Re: [fw-wiz] Pix VPN endpoint and split-tunnel

From: Greg Spath (gkspath_at_armstrong.com)
Date: 10/17/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 17 Oct 2005 16:31:37 -0400
    
    

    On Wed, 12 Oct 2005 10:45:10 -0400
    "Paul Melson" <pmelson@gmail.com> wrote:

    > -----Original Message-----
    > Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    >
    > > I am trying to configure a Cisco PIX as a VPN endpoint for the
    > > Cisco VPN client and would like to force the client to use the
    > > corporate network for internet access. I don't want to allow
    > > split-tunnel. I can't find any info on how to do this. Is split
    > > tunnel the only way to give a VPN client internet access once they
    > > are connected?
    >
    > The short answer is yes. PIX-fu rule #1: the PIX is not a router.
    > It can't take traffic that arrives on one interface and pass it back
    > out that same interface, even when the traffic arrives via VPN
    > tunnel. That said, you can sort of solve this problem by having the
    > clients use a proxy server while connected via full tunnel. There
    > may or may not be an elegant way to automate this for your road
    > warriors, but this would really be independent of anything the PIX or
    > VPN client do. (Think login scripts, Group Policy, etc.)

    Not being a PIX admin, I didn't want to jump on this thread. I know
    that the Contivity VPN gateways/clients that we use can be configured to
    not allow split-tunneling, and assumed the PIX could do the same.

    Anyway, on the subject of login scripts, group policy, etc., here is what
    I do for my alternate PPP over SSH solution on my Linux laptop. The info
    may or may not help, but I thought I'd share. Yes, it's pretty basic
    when you see it, but it took me a while to see this rather obvious
    solution :)

    On VPN Connect:
    1) create static route to remote gateway
    2) remove default route
    3) set new default route to internal server address (VPN endpoint,
    virtual address), and let that box do my routing.

    On Disconnect:
    1) restore default gateway to original
    2) remove static route to remote gateway

    This will route all traffic through your tunnel, but is not really a
    "split tunnel" because you can still hit your local subnet, and other
    hosts on that subnet can still reach you. That can be dealt with using
    firewall rules of some sort; not sure how easy that would be on a
    Windows PC.

    >
    > If it's a big enough issue that you're willing to spend time and
    > resources on it, I would recommend looking at the VPN3K concentrators
    > (or ASA 5500?). They can do exactly what you're asking for, plus they
    > possess a number of other features for managing VPN client users that
    > the PIX doesn't have. (Like dynamic VPN profile assignment via
    > RADIUS.)

    Agreed there. That is why we use Nortel Contivities for our clients.
    The Contivity is very good at providing client VPN with 2-factor auth.

    Good luck,

    -- Greg

    -- 
    Greg Spath <gkspath@armstrong.com>
    Infrastructure Security Analyst
    Armstrong World Industries, Inc.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
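The on-connect / on-disconnect route switching Greg describes above, written out as an added example that is not part of the original message: an iproute2 shell script for a Linux laptop running a full-tunnel PPP-over-SSH link. The remote gateway address, the tunnel-side hop address, the interface name and the state file path are constructed assumptions, and the script does not cover the local-subnet firewall rules the post mentions.

```shell
#!/bin/sh
# Added example (not from the original post): the on-connect / on-disconnect
# route switching for a full-tunnel PPP-over-SSH link on a Linux laptop,
# using iproute2. All addresses and names below are constructed assumptions.
REMOTE_GW="${REMOTE_GW:-203.0.113.10}"  # SSH/VPN server's public address
VPN_HOP="${VPN_HOP:-10.8.0.1}"          # endpoint's virtual address inside the tunnel
TUN_IF="${TUN_IF:-ppp0}"                # tunnel interface
STATE="${STATE:-/tmp/vpn-route.state}"  # remembers the original default gateway
RUN="${RUN:-sh -c}"                     # RUN=echo prints commands instead of running them

# Current default gateway; ORIG_GW overrides the lookup (useful for dry runs).
orig_gw() {
    [ -n "${ORIG_GW:-}" ] && { printf '%s\n' "$ORIG_GW"; return 0; }
    ip -4 route show default | awk '{for(i=1;i<=NF;i++) if($i=="via"){print $(i+1); exit}}'
}

# Connect: 1) host route to the remote gateway via the old default gateway,
# 2) remove the old default route, 3) new default route into the tunnel.
plan_connect() {
    printf 'ip route add %s/32 via %s\n' "$REMOTE_GW" "$1"
    printf 'ip route del default via %s\n' "$1"
    printf 'ip route add default via %s dev %s\n' "$VPN_HOP" "$TUN_IF"
}

# Disconnect: 1) restore the original default gateway ("replace" also works
# when the tunnel route already vanished with ppp0), 2) remove the host route.
plan_disconnect() {
    printf 'ip route replace default via %s\n' "$1"
    printf 'ip route del %s/32 via %s\n' "$REMOTE_GW" "$1"
}

run_plan() { while IFS= read -r cmd; do $RUN "$cmd"; done; }

vpn_up() {
    gw="$(orig_gw)"
    [ -n "$gw" ] || { echo "vpn_up: no default gateway found" >&2; return 1; }
    printf '%s\n' "$gw" > "$STATE"       # saved for vpn_down
    plan_connect "$gw" | run_plan
}

vpn_down() {
    [ -r "$STATE" ] || { echo "vpn_down: nothing saved in $STATE" >&2; return 1; }
    plan_disconnect "$(cat "$STATE")" | run_plan && rm -f "$STATE"
}

# Hook into the tunnel's up/down events (e.g. /etc/ppp/ip-up and ip-down).
case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it with `RUN=echo ORIG_GW=<your gateway> sh script up` first to see the exact commands it would issue before letting it touch the routing table as root.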
    
